This application claims priority from Japanese Patent Application Reference No. P00-010115, filed Jan. 14, 2000, the entire content of which is incorporated herein by reference for all purposes.
The present invention relates generally to storage subsystems, and in particular to techniques for providing access to Logical Units within a storage subsystem by host computers.
Conventionally, security methodologies designed to prevent an illegal access to a storage subsystem by host computers depend on the functions of OS (Operating System), middleware or application software on the host side.
On the other hand, as the fiber channel protocol has been standardized in recent years, the various standard protocols such as SCSI, ESCON, and TCP/IP have become available to be used as the interface between the host computers and the storage subsystem, resulting in more and more efficient use of the storage resources within the storage subsystem.
However, because more than one host computer accesses one storage subsystem, the traditional security approaches that depend on operating system (OS), middleware, or application software on the host computer side, are increasingly recognized as providing insufficient security for the resources in modern storage subsystems.
What is really needed are techniques for performing security functions in computer storage subsystems connected to one or more host computers via high performance channel interfaces.
According to the present invention, techniques for performing security functions in computer storage subsystems in order to prevent illegal access by the host computers according to logical unit (LU) identity are provided. In representative embodiments management tables can be used to disclose the Logical Unit in the storage subsystem to the host computers in accordance with the users operational needs. In a specific embodiment, accessibility to a storage subsystem resource can be decided when an Inquiry Command is received, providing systems and apparatus wherein there is no further need to repeatedly determine accessibility for subsequent accesses to the Logical Unit. Many such embodiments can maintain relatively high performance, while providing robust security for each Logical Unit.
In a representative embodiment according to the present invention, a computer system is provided. The computer system can comprise a variety of components, such as one or more host computers and one or more storage subsystems. Each storage subsystem can comprise one or more logical units, for example. A data channel can interconnect the host computers with the storage subsystem. The host computers can request availability of one or more of the logical unit in one of the storage subsystems. Such request can comprise identity information corresponding to the particular host computer, and a virtual logical unit identifier of the logical unit, the availability of which is being requested. In response, the storage subsystem determines whether the requesting host computer may permissibly access the logical unit requested based upon the virtual logical unit identifier and the identity information from the request.
In specific embodiments of the computer system, identity information corresponding to the one or more host computers further comprises a dynamically assignable identifier. The storage subsystem determines a unique identifier for the one or more host computers from the identity information in the request; and then determines whether the host computer requesting access may permissibly access the logical unit based upon the virtual logical unit identifier and the unique identifier.
In another representative embodiment according to the present invention, a storage subsystem is provided. The storage subsystem can comprise a management table that defines relationships among the information WWN which uniquely identifies the accessing host computer, a Logical Unit Number (LUN) in the storage subsystem which the host computer is permitted to access, and a Virtual Logical Unit Number (Virtual LUN) which is created from the LUN identifiers in any way of numbering in accordance with user""s convenience. Specific embodiments can also include a management table that defines the linkages between a Management Number (S_ID) dynamically assigned by the storage subsystem to identify a host computer, and a World Wide Name (WWN) which uniquely identifies the accessing host computer. The management tables can be stored in a non volatile memory, for example. Some specific embodiments can comprise more than one storage unit, and the like. A storage control unit to control the read/write operations from/to said storage units can also be part of the storage subsystem. Specific embodiments can also include more than one communication port to connect to a plurality of host computers, and Logical Units corresponding to the storage areas in said storage units.
In a specific embodiment according to the present invention, in the storage subsystem, the assigned S_ID is used as an identity information of the host computer instead of the WWN. Such embodiments do not require checking the accessibility to the LUN each time an I/O operation is executed, resulting in less overhead in each I/O operation. Also, users are free to rearrange LUNs in any desired way by making use of the Virtual LUNs.
In a further representative embodiment according to the present invention, the storage subsystem retrieves an identity information, such as the Company_ID, that is common to a certain group of host computers, partially from the WWN. By performing the accessibility control on the basis of the group having the common identity information, the storage subsystem provides the host computer with storage resource format, application, service, and specific pressing valid only for that particular host computer group.
Numerous benefits are achieved by way of the present invention over conventional techniques. The present invention can provide the security functions that prevent illegal accesses by limiting accessibility of Logical Units by each host computer, without additional modification of the current operation of the host computer. Many embodiments can also provide the security function to prevent illegal accesses by limiting accessible Logical Units according to each vendor of the host computers, without additional modification of the current operation on the host computer side. Further, select embodiments according to the present invention can provide permission to access storage resources based on security functions to host computer groups. Such permission can be according to vendor, and service can be specifically tailored for the group. Specific embodiments can provide highly efficient use of the storage resources and fast accessibility judgment logic.